diff --git a/ams-cap-bookshop/pom.xml b/ams-cap-bookshop/pom.xml
index eaa526c..0f5c754 100644
--- a/ams-cap-bookshop/pom.xml
+++ b/ams-cap-bookshop/pom.xml
@@ -21,7 +21,7 @@
https://nodejs.org/dist/
UTF-8
- 4.2.1
+ 4.4.0
1.4.0
4.0.7
diff --git a/ams-cap-bookshop/srv/pom.xml b/ams-cap-bookshop/srv/pom.xml
index 27bc419..5367397 100644
--- a/ams-cap-bookshop/srv/pom.xml
+++ b/ams-cap-bookshop/srv/pom.xml
@@ -76,7 +76,6 @@
com.sap.cloud.security.ams
spring-boot-starter-cap-ams-test
- test
diff --git a/ams-cap-bookshop/srv/src/test/resources/application-test.yml b/ams-cap-bookshop/srv/src/test/resources/application-test.yml
index 9e031dc..cdbff26 100644
--- a/ams-cap-bookshop/srv/src/test/resources/application-test.yml
+++ b/ams-cap-bookshop/srv/src/test/resources/application-test.yml
@@ -3,6 +3,7 @@ spring:
sql:
init:
platform: h2
+sap.ams.test.enabled: true
logging.level:
com.sap.cds.security.authorization: TRACE
com.sap.cloud.security.ams: TRACE
diff --git a/ams-javalin-shopping/pom.xml b/ams-javalin-shopping/pom.xml
index ffab2e5..790b7ad 100644
--- a/ams-javalin-shopping/pom.xml
+++ b/ams-javalin-shopping/pom.xml
@@ -15,7 +15,7 @@
17
UTF-8
- 4.3.0
+ 4.4.0
1.4.0
0.31.0
7.2.2
diff --git a/ams-spring-boot-shopping/pom.xml b/ams-spring-boot-shopping/pom.xml
index 94c5b19..56f1ab8 100644
--- a/ams-spring-boot-shopping/pom.xml
+++ b/ams-spring-boot-shopping/pom.xml
@@ -24,7 +24,7 @@
17
UTF-8
3.5.10
- 4.3.0
+ 4.4.0
1.4.0
4.0.8
5.32.0
diff --git a/ams-spring-boot-shopping/src/main/java/com/sap/cloud/security/ams/samples/config/SecurityConfiguration.java b/ams-spring-boot-shopping/src/main/java/com/sap/cloud/security/ams/samples/config/SecurityConfiguration.java
index 6505780..19d488f 100644
--- a/ams-spring-boot-shopping/src/main/java/com/sap/cloud/security/ams/samples/config/SecurityConfiguration.java
+++ b/ams-spring-boot-shopping/src/main/java/com/sap/cloud/security/ams/samples/config/SecurityConfiguration.java
@@ -11,6 +11,7 @@
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
+import static com.sap.cloud.security.ams.samples.config.Privileges.*;
import static org.springframework.http.HttpMethod.*;
/**
@@ -29,7 +30,7 @@
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
-@PropertySource(factory = IdentityServicesPropertySourceFactory.class, ignoreResourceNotFound = true, value = { "" })
+@PropertySource(factory = IdentityServicesPropertySourceFactory.class, ignoreResourceNotFound = true, value = {""})
public class SecurityConfiguration {
@Bean
@@ -41,17 +42,19 @@ public SecurityFilterChain filterChain(HttpSecurity http, AmsRouteSecurity via)
// Authenticated endpoints without authorization checks
authz.requestMatchers(GET, "/privileges").authenticated();
- // Endpoints protected with AMS method-level security
+ // CHOOSE ONE idiom below (route-level authorization + service-level filtering vs. full service-level authorization
+
+ // Idiom 1 (Full service-level authorization): these endpoints are protected with AMS method-level security
authz.requestMatchers(GET, "/products").authenticated();
authz.requestMatchers(GET, "/orders").authenticated();
authz.requestMatchers(POST, "/orders").authenticated();
authz.requestMatchers(DELETE, "/orders/**").authenticated();
- // Showcases alternative endpoint protection via AMS route-level security
- // authz.requestMatchers(GET, "/products").access(via.checkPrivilege(READ_PRODUCTS));
- // authz.requestMatchers(GET, "/orders").access(via.precheckPrivilege(READ_ORDERS));
- // authz.requestMatchers(POST, "/orders").access(via.precheckPrivilege(CREATE_ORDERS));
- // authz.requestMatchers(DELETE, "/orders/**").access(via.checkPrivilege(DELETE_ORDERS));
+ // Idiom 2 (route-level authorization + service-level filtering) Showcases alternative endpoint protection via AMS route-level security (+ service-level filtering)
+ authz.requestMatchers(GET, "/products").access(via.checkPrivilege(READ_PRODUCTS));
+ authz.requestMatchers(GET, "/orders").access(via.precheckPrivilege(READ_ORDERS));
+ authz.requestMatchers(POST, "/orders").access(via.precheckPrivilege(CREATE_ORDERS));
+ authz.requestMatchers(DELETE, "/orders/**").access(via.checkPrivilege(DELETE_ORDERS));
// Deny all other requests
authz.anyRequest().denyAll();